Kaseya VSA Gets Hit with Ransomware, REvil Group Linked to Attack

Mason Moran
Senior SOC Analyst   Government Agency

Not Just State Actors Using Supply Chain Attacks!

That’s right folks! The infamous SolarWinds attacks of late 2020, discovered in early 2021 placed supply chain compromise squarely in the middle of media attention. Eventually, this news was enveloped by the ceaseless cadence of new ransomware attacks, and it fell away into memory, until now. REvil, the Ransomware-as-a-Service (RaaS) gang, has been associated with the Microsoft Exchange Server data breach, extorting Lady Gaga, and stealing Apple’s plans for two new laptops and a new Apple Watch.

Who Is REvil?

REvil, first seen as Sodinokibi, is a Ransomware-as-a-Service (RaaS) gang that has been the culprits of many high-profile ransomware attacks since 2020. Independent and government research has suggested that the group is Russian or mostly Russian due to the behavior of not targeting Russian organizations or organizations that were previously part of the former Soviet-bloc. Many experts believe that REvil is the spawn of GandCrab, which was shut down shortly before REvil became active. In the past, they have attacked Donald Trump, Lady Gaga, law firms, schools, technology companies, and infrastructure to include JBS S.A (the meat producing company), and Invenergy, an American power generation company, with Kaseya being their latest victim.

What Is A Supply Chain Compromise?

A supply chain attack is where an actor will attempt to jeopardize any part of the CIA triad (Confidentially, Integrity, or Availability) of a system or any of the information it stores, sends, receives, and processes. This can include the networking components, technology, people, resources, activities, and information that moves throughout the company’s supply chain infrastructure. In a more succinct thought, it can be summarized as a compromise of a company’s development lifecycle, which generally includes: design, manufacturing, production, distribution, installation, operations, and maintenance.

A perfect example of a supply chain attack would be the 2013 compromise of Target. The weak point in this supply chain was a third-party vendor, their HVAC servicing company. The attackers stole credentials from the HVAC company and used those credentials to gain access to Target’s network and conduct lateral movement to a system that stored customer payment data.

That was a fairly obvious example of supply chain compromise, but attackers have been taking advantage of good security practices that most professionals are evangelic about, such as patching, in both the SolarWinds compromise as well as this most recent attack against Kaseya. Kaseya provides remote management solutions and is used widely by Managed Service Providers (MSPs). Attackers are using a malicious update of their VSA software (which is the supply chain compromise) to distribute ransomware.

Discovering REvil

Sophos is the security firm that is conducting the malware analysis on the compromise. Sophos states that the amount of telemetry they receive helped them identify the attack to begin with. Sophos states that the malicious update gives REvil access to the VSA on-premises servers, and from there, ransomware was deployed to all connected clients using internal scripting.

It gets worse though. Once REvil is on the host machines, antivirus is disabled and they deploy a faux Windows Defender application that actually runs the ransomware that encrypts the victims system. This is done by VSA leaving a dropper called agent.crt to the c:\kworking directory. This is what is being distributed as an update called “Kaseya VSA Agent Hot-fix.” Powershell is then used to decode agent.crt and extracts agent.exe into the same directory. Agent.exe comes with a signed certificate from “PBo3 TRANSPORT LTD” and comes embedded with MsMPEng.exe as well as a malicious DLL called mpsvc.dll. It is important to note that MsMPEng.exe is a legitimate, albeit older version of Microsoft Defender that was being used to launch the malicious DLL. Some samples add registry keys relating to the Black Lives Matter movement, and one sample has the REvil safe mode default password as DTrump4ever.

Due to the fact that VSA is used by MSPs, this ransomware attack is wide-spread, affecting over eight MSPs and over 200 businesses that are experiencing their networks being encrypted. Kaseya immediately shut down their SaaS servers as a precautionary measure, although they are fairly confident that SaaS customers were never at risk. They also notified on-premises customers that had VSA servers by e-mail, in-product notices, and phone to immediately shut off their servers to prevent further compromise. They also have identified the vulnerability that was exploited and are working on a patch to mitigate the issue.

They expect to have their SaaS offerings up and running within 24 hours. CISA and the FBI are looking into the issue more as well and will continue to update the general public as more information about this attack becomes known.

The staff at the United States Cybersecurity Magazine will continue to release updates as they become available.


Tags: , , , , , ,

Leave a Comment